The sys admin's daily grind: Whowatch et al.

On Patrol

Article from Issue 155/2013
Author(s):

For no particular reason, Charly occasionally patrols his server farm and hunts down attackers. He has put together a neat toolbox for this job.

Every server with an IP address on the Internet will receive uninvited visits at some point. The usual scans and scripted carpet bombing simply bounce off my machines thanks to clever firewalling, port knocking [1], and additional tools like Fail2ban [2]. To keep attackers from working around my defenses, I use two rootkit hunters: Rootkit Hunter [3] and Chkrootkit [4]. The latter, unfortunately, accuses my DHCP server of packet sniffing:

eth0: PACKET SNIFFER(/usr/sbin/dhcpd[28382])

This result is a known false positive, which I ignore. As an interim report, I can say that my varmint hunters have not seen any prey thus far.

Nevertheless, I occasionally go on patrol to see whether a server is behaving strangely. I like to use whowatch [5] for this purpose. This tool launches in the terminal with a process list; the second column shows me the owner. In the third column, Whowatch tells me whether the user is local or logged on via SSH, Telnet, or in some other way. For remote users, this information is followed by the IP address, and for local users, just :0.

Hotkey Control

I have two ways of navigating this information: I can use the arrow keys to select a line, press Enter, and see a tree view of the associated processes, as shown in Figure 1. Pressing O (owner) hides or displays the process owner; pressing D (details) creates a window with detailed information for the process.

Figure 1: In the tree view, Whowatch shows admins all the processes on the system.

My second option is to type T (tree view) to show all running processes. In this tree view, too, pressing D will display more information. Pressing L (list of signals) shows me the control signals that I can send to the process, such as HUP, INT, TERM, and in an emergency KILL. I can display the overall system status, particularly in terms of memory management, by pressing S (sysinfo), which tells Whowatch to display the total load on the screen, in a style very much reminiscent of top (Figure 2).

Figure 2: Is this top? No, it's Whowatch showing the total load after the S key has been pressed.

I have never found anything dangerous on my server patrols to date, but I do like that warm, safe, and cozy feeling.

The Author

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, freshwater aquariums, and learning Japanese, respectively.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • User Monitoring

    Linux tracks all the actions that take place on your system, including when your users were active and what they did.

  • Charly's Column: Shell In A Box

    At some point, any service that can't run fast enough will be put on the web. So, why not do this for remote login? With a little JavaScript and CSS wizardry, a software tool called "Shell In A Box" sends a shell to the browser.

  • Expert Security Intro

    Internet intruders have many ingenious ways of escalating privileges and hiding their presence once they get inside your system. The best protection is to keep them out in the cold.

  • Charly's Column: Nmon

    Nmon monitors system information. You can use the Nmon’s capture mode to output data to a file, then extract the values you need with a script.

  • How to Write a Rootkit

    Today’s rootkits infiltrate a target system at kernel level, thus escaping unwanted attention from administrators. Read on for a practical look at how a kernel rootkit really works.

comments powered by Disqus